Why corporate rivals can, and do, spy on each other

(Editor's note: Cyberspying isn't the sole province of rival nation-states. It's not uncommon for one company to poach a competitor's top sales manager – and celebrate when the new recruit brings along a customer lead list uploaded into a cloud storage account, says Darren Platt, chief technical officer of Symplified. Platt explains why in this guest essay.)

Traditionally, application access took place right on the PC. In its next phase, people used a PC to access cloud-based applications. In both of these stages, IT could run software to monitor how users were behaving within those apps.

Today, we've progressed to a stage where people use mobile devices to access apps and data residing in the Internet cloud, and IT has no control point between the apps and the users.

A recent survey revealed that only 37 percent of IT professionals have visibility into what employees are doing when logged into corporate applications, and 59 percent have experienced unauthorized data access by a user whose accounts remained active when they should have been de-provisioned.

This issue is exacerbated by the fact that the IT department is often not involved in bringing on cloud applications. This leads to a situation where there is no master list of applications.

Without that list of applications it is very difficult to determine whether an employee's account has been removed from all of the systems they had access to. The result is a common situation – where people have access to e-mail and other applications from former employers.

It is essential for IT to have a centralized Identity and Access Management (IAM) system that enables the enforcement of access policies for all of your corporate applications. This can help prevent what's called "side-door access," where a user logs into an application, such as Salesforce, directly and evades your monitoring mechanisms.

Over the last decade, standards have emerged to help solve the security issues that occur as people leverage third-party applications. Products and services that implement these standard protocols enable an enterprise to leverage the cloud much more securely – preventing people from using orphaned login accounts and providing visibility into what users are doing on those third-party applications.

Enterprises now have access to controls to see how corporate applications are being used and enforce policies around these applications. Here are a few best practices that can help:

First, if you haven't already, get a solution that lets you regulate application access and usage, and provide users with one username, one password and one point of login for all of the applications they use on behalf of your organization.

Second, leverage your existing identity infrastructure as the foundation for your strategy. For example, most organizations have established Active Directory as their primary system of record for employee information, and use a database to store customer information.

Use these existing repositories to confirm or deny every access request made for every application. If you maintain user profiles in multiple places, you're at risk of being compromised by "orphaned accounts" – the kind that let former colleagues back into your applications long after your relationship with them has ended.
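The reconciliation the essay calls for, as an added example that is not part of the original piece: each application's account inventory is checked against the identity system of record so that orphaned accounts (identity disabled, application account still active), accounts with no matching identity at all, and accounts outside the entitled department are surfaced. The data here is constructed; in practice the system-of-record set would come from an Active Directory query and the per-app inventories from each application's admin export.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    app: str
    account: str
    reason: str


# Constructed sample data (not real identities). "enabled" mirrors the
# account-enabled flag an HR feed or Active Directory would supply.
SYSTEM_OF_RECORD = {
    "alice@example.com": {"enabled": True, "dept": "sales"},
    "bob@example.com": {"enabled": False, "dept": "sales"},   # left the company
    "carol@example.com": {"enabled": True, "dept": "engineering"},
}

# Constructed per-application account inventories, as exported by each app.
APP_ACCOUNTS = {
    "salesforce": {"alice@example.com", "bob@example.com"},
    "box": {"alice@example.com", "bob@example.com", "dave@example.com"},
}

# Hypothetical entitlement policy: which departments may hold an account in each app.
APP_ALLOWED_DEPTS = {"salesforce": {"sales"}, "box": {"sales", "engineering"}}


def reconcile(sor, app_accounts, allowed):
    """Return one Finding per application account that the system of record does not justify."""
    findings = []
    for app, accounts in app_accounts.items():
        for acct in sorted(accounts):
            person = sor.get(acct)
            if person is None:
                findings.append(Finding(app, acct, "no matching identity in system of record"))
            elif not person["enabled"]:
                findings.append(Finding(app, acct, "orphaned: identity disabled but account active"))
            elif person["dept"] not in allowed.get(app, set()):
                findings.append(Finding(app, acct, "department not entitled to this application"))
    return findings


if __name__ == "__main__":
    for f in reconcile(SYSTEM_OF_RECORD, APP_ACCOUNTS, APP_ALLOWED_DEPTS):
        print(f"{f.app}: {f.account} -> {f.reason}")
```

Running this on the sample data flags Bob's still-active Salesforce and Box accounts and Dave's Box account, which has no identity behind it at all; Alice's accounts pass because her identity is enabled and her department is entitled to both applications.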

Third, know what people are doing while logged into an application, regardless of whether it's from their desktop or their smartphone, by using a proxy-based approach to identity and access management. This will give you a detailed audit trail of all activity—it's the difference between knowing your territory manager logged into Salesforce and Box, versus knowing he uploaded that customer lead list from Salesforce to Box. You could even prevent him from uploading documents from one to the other in the first place.